"You still use the password after all" - Exploring FIDO2 Security Keys in a Small Company
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
“You still use the password after all” – Exploring FIDO2 Security Keys in a Small Company Florian M. Farke Lennart Lorenz Theodor Schnitzler Ruhr University Bochum tracekey solutions GmbH Ruhr University Bochum Philipp Markert Markus Dürmuth Ruhr University Bochum Ruhr University Bochum Abstract Phishing attacks become more and more sophisticated, lead- The goal of the FIDO2 project is to provide secure and usable ing to often transparent and nearly indistinguishable imita- alternatives to password-based authentication on the Web. It tions of valid authentication requests [3, 27]. relies on public-key credentials, which a user can provide via Many alternatives have been proposed, but their usage is security tokens, biometrics, knowledge-based factors, or com- minimal [5]. Biometric schemes such as fingerprint or face binations. In this work, we report the results of a qualitative recognition are regularly used to unlock phones, but they study accompanying the deployment of FIDO2-enabled secu- are not used for remote authentication. Authentication with rity tokens for primary authentication in a web application of hardware tokens, typically in the form of two-factor authenti- a small software company operating in the life sciences indus- cation (2FA) combined with a knowledge-based scheme like try. We assisted the company in implementing and setting up passwords, provides high security, but distributing and manag- FIDO2-enabled authentication on its public test and evalua- ing the hardware keys can become a great hurdle. 2FA using tion server. Over four weeks, we observed the authentication possession-based factors such as smartphone apps or SMS routine of 8 employees out of 10 employees regularly using tokens as a second factor is less secure, yet easier to set up the web application, including sales representatives, software and manage, but has only found limited adoption (e.g., less developers, project managers, and account managers. We than 10 % of active Google accounts use 2FA [18]). gathered data through login diaries, server logs, and semi- The FIDO2 project, including both the Fast IDentity On- structured interviews to assess themes regarding usability, line (FIDO) Alliance [13] – an industry association – and perceived security, and deployability. We found that partici- the World Wide Web Consortium (W3C) [29], aims at offer- pants had several concerns, like losing the security token and ing an alternative to password-based authentication that is longer authentication times, while the security benefits were both usable and secure. It consists of two main components: largely intangible or perceived as unnecessary. the Client to Authenticator Protocol 2 (CTAP2), governing the communication between the client and (external) authen- tication hardware, and the Web Authentication (WebAuthn) 1 Introduction specification defining the server-facing API on the client. WebAuthn became an official web standard in March 2019, User authentication by username and password is still the and several browsers (e.g., Google Chrome, Mozilla Firefox, most dominant method on the Internet and remote authentica- and Microsoft Edge) support it already. tion in general. However, password-based authentication has many usability and security flaws, and researchers and practi- FIDO2 promises a largely improved authentication experi- tioners have been discouraging from using it for decades [5]. ence and is backed by several big companies, like the Alibaba On the Internet, passwords are prone to phishing attacks. Group, Amazon, Apple, Facebook, and Google. Thus, it is very interesting to understand the likely impact it can have in practice, including aspects of deployment and usability. In this work, we present our experience with deploying FIDO2 in the context of a company. We report on a four-week evaluation phase in which we accompanied the deployment in Copyright is held by the author/owner. Permission to make digital or hard a life sciences company. Eight voluntary participants used a copies of all or part of this work for personal or classroom use is granted FIDO2-based authentication scheme on a daily basis and kept without fee. USENIX Symposium on Usable Privacy and Security (SOUPS) 2020. login diaries, which we combined with server logs, a survey, August 9–11, 2020, Virtual Conference. and semi-structured interviews after the four weeks.
To use the FIDO2-based authentication method, we gave 2 Background the participants security keys (USB-based hardware tokens) and guided them through the setup. The security keys could The FIDO2 project has a more general and thus flexible be used as a full-fledged alternative to username and password approach to user authentication than its predecessor, the in one of the company’s software products. We used security Universal 2nd Factor (U2F) standard, and other authentica- keys because they are relatively inexpensive and were com- tion schemes. Compared to other 2FA/multi-factor authen- patible with all computers the participants used at work. In tication (MFA) approaches, the advantages of FIDO2 are particular, we were interested in: (i) growing support by all major browser and operating sys- • How do users behave when they have a security key as tem vendors, (ii) open and standardized protocols, (iii) mak- an authentication alternative to username and password ing authentication via username and password not mandatory and not only as a second factor? (although it is still possible), and (iv) building upon vetted • Do users use the security key in their daily routine? asymmetric cryptographic principles and algorithms. • What differences do users identify between the authen- The FIDO2 project consists of the WebAuthn specifica- tication schemes, especially do they perceive the new tion of the W3C [4] and the Client to Authenticator Proto- method as more secure? col (CTAP) defined by the FIDO Alliance [6]. FIDO2 allows • What advances or hinders the adoption of the new secu- abstracting from the actual authenticator (e.g., a hardware rity key-based mechanism? token). Thus, the Relying Party (e.g., a web server) does not require knowledge about the implementation details of the We learned that even though the participants liked using authenticator. Figure 1 depicts the interplay of CTAP2 and the security key-based authentication scheme, they tended WebAuthn as we used it in our study. to fall back to username and password. On the one hand, WebAuthn specifies a standardized, browser-independent this is because participants do not want to abandon a habit JavaScript API that allows web services to interact with all when there is no apparent necessity in doing so. On the sorts of facilities. Through this API, web services can imple- other hand, they fear to lock themselves out when losing or ment user authentication in a way that is resilient to phishing, breaking the security key. Participants who use a password password theft, and replay attacks. Instead of relying on manager with an auto-fill feature of a web browser also report shared secrets like passwords, public-key cryptography is that the authentication with the security key takes longer in used to create unique credentials for every web service and comparison. In contrast, the participants assumed that the only generated and stored on the client’s device. keys were providing a better security level, although they did On the other hand, CTAP2 governs the communication not fully comprehend the authentication procedure’s technical between external authenticators and web browsers or other details. applications supporting WebAuthn. The proposed CTAP stan- Our qualitative study is a first attempt to explore FIDO2 in dard comprises two protocol versions – CTAP1, the protocol a business environment and sheds light on which problems used for U2F, and CTAP2 a new protocol used for WebAuthn. arise when deploying FIDO2. In summary, we make the At the time of the study, implementations for the operating following key contributions: systems Android and Windows 10 were available. • We explore a passwordless web authentication scheme The FIDO Alliance uses the term “passwordless” to de- rolled out as the first authentication factor in a real-world scribe single-factor authentication and multi-factor authenti- application. cation with an authenticator or with an authenticator and a • We provide insights into the daily usage of security keys personal identification number (PIN) or biometric. While it is in a company environment over four weeks by combin- easy to agree with, for example, hardware tokens as a single ing login diaries, server logs, and interviews. The data factor being passwordless, this is not inevitably the case if indicate that participants liked the passwordless authen- additionally a PIN is used as a second factor. Although simi- tication scheme because of its simple usage, yet from lar to a password, a FIDO2 PIN has some notable differences the users’ perspective, there is no clear advantage over compared to passwords in the context of web authentication: password-based authentication. The positive impression • No shared secret has to be entered, sent over network, of the security keys is less pronounced if participants or store on the server-side. Phishing attempts and data previously used password managers that already limit breaches do not affect the authenticity of the credentials. some negative aspects of password-based authentication. • A single PIN unlocks the authenticator and all account • Analyzing the participants’ feedback, we identify a set credentials registered with the device. There is no need of adoption barriers, including the fear of getting locked to set a unique password for every web service. out, a cumbersome integration of the security keys in the • Guessing or brute-forcing the PIN is limited to eight work environment, and the general routine in using pass- consecutive attempts. Reaching this limit resets the au- words. Those barriers should be minimized before intro- thenticator to factory settings, effectively invalidating all ducing new security measures in work environments. generated credentials [6].
Figure 1: Communication via FIDO2. The cryptographic authenticator and the client communicate via USB using CTAP2. The client’s browser implements the JavaScript-based Web Authentication API to communicate with the server over the network. 3 Methods Following tracekey’s three-week release cycles, the secu- rity key-based authentication method was developed on an Our study’s primary goal was to gain insights into the usabil- internal test server and pushed to the public test and validation ity, user perception, and barriers or facilitators for the adoption server before the study started. The test server was accessed of FIDO2. To increase ecological validity, we conducted the regularly by tracekey employees and customers. Due to a study on a web application in a small software company in delay in the release process, the new authentication method the life sciences industry. We collected and analyzed quali- was available on the production server only in the last week tative data in the form of login diaries and semi-structured of the study (see Section 5.5). interviews, but also quantitative data in the form of server The participants used two variants of FIDO2-compliant logs. hardware tokens, the Security Key by Yubico and YubiKey 5 NFC, both from Yubico [30]. Both variants had the same form factor and supported WebAuthn, CTAP, and U2F. YubiKey 3.1 Study Environment 5 NFC offered additional features (e.g., support for OTP algo- rithms, OpenPGP, etc.) and could also be used via NFC. We We conducted our study at tracekey solutions GmbH,1 a small did not require any of the additional features so that both key software company from Bochum (Germany). As a software- variants could be used in the same way. as-a-service provider, they develop and operate a product serialization service for small and medium-sized businesses 3.1.1 Recruitment in the pharmaceutical industry. The service offers a solution to fulfill the traceability requirements of this industry [12]. We asked all employees who were eligible for our study (i.e., The service includes a web application that requires cus- having accounts on both the public test server and the produc- tomers and employees to authenticate with a username and tion server, using the web application on a daily basis, and password. For our study, we extended the existing login form being available at the time of the study). We invited the 10 em- and authentication back end and added a new login option ployees who fulfilled these criteria to an in-house workshop, using WebAuthn with a roaming hardware token. in which 9 attended. During the training session, we briefed We decided only to allow PIN-protected security keys (in the attendees about the purpose of the study, the procedure, contrast to Lyastani et al. [17]) because some participants risks and benefits, and the option to withdraw from the study occasionally worked remotely, and losing the security key at any time without penalty. We asked them to read and sign a was a realistic scenario. However, this may have reduced consent form containing the same information. Participation the comfort of using the key (see Section 4.3). The company was voluntary and uncompensated since they took part in the had an authentication policy for its software that required study during working hours. re-authentication after 30 minutes of inactivity. Due to this We informed the participants about the required operating policy, we did not consider adopting a “remember me” option, system and browser version. The minimum requirement was which does not ask the user to authenticate for a particular Microsoft Windows 10 version 1903 because it implemented time after a successful login on a device. We did not imple- CTAP2 in Windows Hello. The participants used Mozilla ment any fallback authentication procedure for the security Firefox, Microsoft Edge, and Google Chrome. Of those three, key because the participants could still use their passwords, only the stable version of Chrome did not support Windows and manual account recovery was also a viable option. Hello at the time of the study. We asked participants who used Google Chrome to switch to one of the other browsers 1 https://www.tracekey.com/, as of April 30, 2020 or the beta version of Google Chrome.
3.1.2 Implementation It is important to highlight that we are specifically targeting a corporate context, where such training sessions are relatively We used a server-side WebAuthn library provided by Yubico common. This situation is very different from introducing to implement the new FIDO2-based authentication. This WebAuthn to consumers. library was integrated because the Spring Security framework After the training session, participants were handed the used by the web application did not support WebAuthn at the security keys and asked to set up the key on their work laptop time of the study. computer and one of their accounts in the web application. To implement the login, we used the resident credential Since most of the participants had multiple accounts for the feature of FIDO2. This feature allows storing credential infor- web application, we encouraged them to register it with addi- mation like the username and private key on any authenticator tional frequently used accounts and assisted them if necessary. with built-in memory. The participants did not need to enter At the end of the workshop, participants filled in a question- their username because of this feature. naire in which we gathered demographic data and feedback In addition to this, we redesigned the login screen of the on the user interface and workflow of the implementation. We web application (see Step 1 of Figure 2) to present both login were especially interested in participants’ knowledge about methods (i.e., WebAuthn with security key and username and web authentication and used a modified version of the web- password). We decided to display both options on the same use skill index of Hargittai and Hsieh [14] for this purpose, website to allow participants to choose between them without focusing on authentication-related terms. We also gathered additional clicking on the website. free-text responses about the participants’ experiences with security keys and 2FA, and asked them to explain how a 3.1.3 Data Preparation security key may improve the security of their account. At that time of the study, not all browsers stable versions supported the WebAuthn options used by our FIDO2-based 3.2.2 Authentication Diary authentication like user verification (i.e., via PIN) and res- ident keys (i.e., the username is chosen from a list instead Over the next four weeks, the participants’ task was to use of manually entered). Thus, most WebAuthn related errors the security key in their work routine. Additionally, we en- could be attributed to the use of an unsupported browser. couraged them to keep an authentication dairy in which they We removed entries of accounts without a registered se- noted all logins over the first two days, and later only their curity key from the logs before the analysis, leaving logs failed login attempts. We adapted the diary from the work of containing entries of study participants or failed logins, which Steves et al. [26]. Each diary entry comprised authentication we could not attribute. The information provided by the times- time and date, on which server the participant tried to log tamps of each login attempt was used to calculate average in (e.g., the public test server) and whether the participants authentication times for the different login types aggregated used the security key or username and password. They could across all participants (see Figure 4). also rate their satisfaction with the login on a five-item emoji- based scale we adapted from previous work [2, 20]. Despite their potential drawbacks (e.g., varying representations of the 3.2 Study Protocol same emotion [19]), emojis were found to be well suited for The study was conducted over six-week in June/July 2019 and affective self-reports of participants [28]. Furthermore, each was framed as a usability study on security keys. It consisted diary entry had a section for errors and comments. of three phases. The first phase was a workshop in which we To enrich the authentication diaries and to get insights into briefed the participants on using the security key. It followed how long it took the participants to authenticate, we also col- a four-week phase of day-to-day use of the security key during lected the timings of each login from the server logs. Each log which we collected data via authentication diaries and server entry contained multiple timestamps, username, user agent, logs. Finally, we interviewed the participants to discuss their WebAuthn-related information (e.g., the WebAuthn creden- experience using the security key and debrief them. tial ID or the WebAuthn error message), and information about the login’s success or failure. Especially in the case of failed login attempts, the logs provided additional insights. 3.2.1 Initial Workshop We started the study with a one-hour workshop. During this 3.2.3 Interview workshop, we first introduced the study as well as its purpose. We gave all participants consent forms, which also contained After the four-week usage phase, we invited the participants information about our study and their participation, and let to interviews. The interviews took place in a conference room them read and sign the form. A fifteen-minute training session in the company, and each session lasted 15 to 20 minutes. introduced the security key, demonstrated the setup and use All but one participant were German native speakers, and we of the key, and showcased the user interfaces of each phase. conducted seven interviews in German and one in English.
1) Visit Website A2) Insert Key A3) Enter PIN A4) Touch Key A5) Select Account WebAuthn Security Key or Password Auto-Fill 1) Visit Website B2) Click Username B3) Select Account B4) Click Login Figure 2: Comparison of the login procedures when using WebAuthn with a security key (top) vs. the browser’s password auto-fill feature (bottom). The dashed borders are indicating omitted steps. If the security key is already plugged-in, the dialog in Step A2 does not show up. Having only one account stored on the key or in the browser, skips steps A5, B2, and B3. The interviews were semi-structured and addressed the per- They then compared the categories and themes across all in- ceived usability of the security key, the differences between terviews and created codes. A third researcher merged the the key-based and password-based authentication, and the themes and codes, derived a final codebook, and used it to obstacles in using the key. Our goal was to examine why code all interviews again. The full codebook is presented in participants used the security key and what kept them from Appendix B. using it. The participants were also asked which of the two login methods they perceived as more secure. 3.3 Demographics We started each interview with a question about how they liked using the security key. The participants’ answers gave Since we conducted our study in a small company, the partic- us insights into their general impression of the security key ipants had different backgrounds and positions. They were and their experience of using it. We then asked them how software developers, sales representatives, or project man- frequently they used the web application and how often they agers. One-third of the participants were female (3 out of 9) used the key over the last four weeks. The participants were and the other two-thirds were male. The participants were 22– also asked to describe the difference between username pass- 44 years old (mean: 30, SD: 6.3). Five (out of 9) participants word and security keys. If they mentioned 2FA, we let them had completed a master’s degree, one holds a bachelor’s de- explain what 2FA is and what the two factors are. gree, and two had studied at a university without completing a Additionally, we asked them to share their thoughts on degree. One had completed a vocational training. All but one which authentication method is more secure and their ratio- of the 9 people who attended the workshop completed the full study. The person who dropped out was on vacation during nales. The full interview guide can be found in Appendix A.2. the second phase of the study and could not use the security In contrast to password-based authentication, our posses- key. Nevertheless, we included this person’s feedback from sion-based method required the user to have the security key the workshop in our evaluation. with them. Thus, we wanted to know how hard it was to have the key at hand for the participants since this was the most obvious hurdle. However, we encouraged them to tell Web Authentication Skills us about other obstacles they encountered as well. Finally, we To examine the participants’ knowledge about web authenti- asked them whether they would use the key in the future and cation, we adjusted the Web-use Skill Measure [14] to focus for the reasons for their decision. on web authentication, resulting in a skill survey containing To analyze the interviews, we used a data-driven coding ten authentication-related terms. We selected surveyed items technique (as described in [10]). Two researchers indepen- from security awareness trainings, education materials, and dently coded all interviews through categorizing participant infographics, including the NCSC glossary [22]. Table 1 statements and identify recurring themes in each interview. shows the mean and standard deviation for all ten items.
Table 1: Web authentication skills are determined by rating 4 Results the understanding of ten authentication-related items. The items are in the order of appearance in the questionnaire. Next, we present and discuss the results of our study. We evaluate the data we gathered through login diaries, server Item Mean SD logs, and interviews. Malware 3.1 0.74 Phishing 3.3 0.94 4.1 Frequency of Authentication Two-factor authentication 3.4 0.69 One-time password 2.5 1.26 Among the participants, the number of logins per day varied. Personal identification number 4.2 0.63 Some participants logged into the web application multiple Auto-fill 3.2 1.55 times a day, while others only used it once a week or less. Fig- Challenge-response 1.8 1.23 ure 3 shows how often the participants used the security key Password manager 3.9 0.99 over the four weeks of the study broken down by participant Brute-force attack 2.4 1.43 and week of the study. Security question 4.0 0.82 Composite score 3.2 0.73 N 9 Scale 5-point Cronbach’s α 0.89 The standard deviations were higher for items with a lower level of understanding (e.g., One-Time Password) than for items with a “high-level” understanding (e.g., personal identi- fication number). These low-level items refer to more tech- nical aspects of authentication. In contrast to the results ob- tained by Hargittai and Hsieh [14], our participants showed a higher understanding of the medium-level rated terms Mal- ware and Phishing, indicating that the participants had an excellent understanding of authentication-related risks. A composite score of 3.2 indicates that the level of understand- Figure 3: Breakdown of the number of authentications with ing lay between “some” and “good” understanding. the security key per participant and week. Except for partici- A Cronbach’s α value of 0.89 as an estimate of the inter- pant P8, all participants used the security key only occasion- relatedness of items and internal consistency of the survey ally. can be considered good, almost excellent. Due to the small sample size, statistical evidence is limited. However, the re- The reason for this discrepancy is that we conducted our sults met our expectations because all participants worked in study on the public test and evaluation server of the web a software company and reported to be tech-savvy. application, which all the participants use but less often than the production server (see Section 5.5). We analyzed the server logs to gain insight into how often the participants used security keys. Table 2 presents a detailed breakdown of how 3.4 Ethics many times the participants logged into the web application during the four weeks of the study. Our institution did not have a review board governing this For our analysis of the server logs, we filtered all log en- type of study, so we discussed the study design with peers tries in which the WebAuthn method or the usernames of our to validate our research’s ethical perspective. We made sure participants were involved. After the filtering, we had 287 to minimize any potential adverse effects from the study by unique logins attempts over the four weeks. Surprisingly, following the ethical principles laid out in the Belmont re- only 67 (23.4 %) of these login attempts used a security key port [21]. These principles included having an informed con- while 141 of the remaining 220 login attempts used browser sent procedure at the beginning of the study and explaining auto-fill (i.e., browser password manager). We discuss this to the participants that they could withdraw from the study discrepancy in the number of logins in Section 4.4 in more without any negative consequences. detail.
Table 2: Breakdown of successful authentications per ac- Our warm-up question in the interviews was how they count, participant, and authentication method. Most of the liked using the security key. Four participants appeared to be participants registered their security keys for at least two ac- pleased about using the security key since they described the counts. Four participant pairs shared five accounts; for these key as easy to use and its handling as intuitive. One participant accounts, we cannot distinguish which login belongs to which was even enthusiastic when talking about impressions of the participant. Manual logins contain all login attempts for security key. which the participants typed in the username and password manually or copied them from an external password man- P2: “I don’t need to remember anything. It’s also ager/storage. faster, I am completely convinced. I think it’s ter- rific.” Number of Authentication The four other participants started referring to minor issues Security Password Manual which occurred when they used the key (e.g., being annoyed Account IDs Key Auto-fill Logins Total by touching the key because “it is on the other side of the A1 P1 4 7 10 21 desk” (P7)), two of which still rated its usage to be overall A2 P1, P3 2 3 4 9 “ok” (P3, P5). The remaining two participants stated they did A3 P2 1 0 0 1 not use the key as often as intended and did not provide a A4 P2 2 1 0 3 clear judgment. A5 P2 1 9 7 17 A6 P2, P4 2 33 3 38 4.3 Authentication Timings and Convenience A7 P2, P4 5 30 2 37 A8 P3 2 4 5 11 During the interviews, the participants revealed that their A9 P3 2 0 1 3 convenience in authenticating varied in many aspects. In A10 P3 1 2 3 6 particular, their feedback on convenience using the security A11 P3 1 4 13 18 key highly depended on how they managed their password- A12 P3, P4 9 6 12 27 based credentials since this was their ground truth against A13 P5 0 20 2 22 which they compared the new method. A14 P5 5 6 8 19 We encountered three different ways of managing pass- A15 P6 4 9 3 16 words: (i) The employees used a collaboration software where A16 P6, P8 3 5 2 10 they stored their shared credentials and copy-and-pasted them A17 P7 2 0 3 5 into the respective login website, (ii) they saved their pass- A18 P8 21 2 1 24 words using a third-party password manager software, or (iii) they used the browser’s built-in password manager. Total 67 141 79 287 Five participants (P1, P2, P4, P5, P8) mentioned that the security key reduced the memory effort because they only needed to remember one PIN. Two participants who manually To analyze login attempts with security key, we used the copy-and-pasted passwords (P2, P3) stated that using the authentication diaries and the interviews. Participant P1 faced security key was faster than entering username and password. a problem where the touch sensor of the security key (see A4) Touch key in Figure 2) did not work at first, so he needed P2: “[...] but it is much more convenient if you can multiple tries until the login was successful. Participant P8 simply use this key, push it, enter your 4-digit PIN reported a similar problem. In this case, the software detected instead of your 12-character password [...]. It is the security only after plugging it in again. Figure 2 shows also faster like this.” the respective step labeled A2) Search/insert key. The other six participants reported no security key-related problems. In contrast to these two participants, five participants used browser built-in password managers with a password auto- 4.2 General Impressions fill feature and stated that the authentication with auto-fill required fewer steps than using the security key (P4, P6, P7) We started the interviews asking by participants about their or was faster (P5, P6, P7, P8). The timings we extracted from general impressions using the security key over the four-week the server logs support their statements. We measured the study period. The themes we found in our analysis of the in- time starting when the login website was fully loaded and terviews resulted in five categories of codes (cf. Appendix B): ending when the login form was submitted to the server for (i) Use of the security key, (ii) comparison of the security key each authentication attempt. Figure 4 presents the timings of with username and password, (iii) adoption barriers, (iv) gen- the different login variants. It shows that the security key was eral impression, and (v) perceived security. slower than the password auto-fill feature of a browser.
For authentication attempts using the security key, we could Another participant referred to the use of the 2FA-protected not determine whether the measured times include the time third-party password manager and preferred using the security to reach for and plug in the security key or if it were already key because it was less cumbersome. plugged in before plugged in before. We expect our result set to comprise both scenarios. However, since we consider P5: “In comparison I think that the key is more physical interactions with the security key part of the authen- user-friendly, it requires less effort than invoking tication ceremony, our results provide a best-case estimate. If both WinAuth and KeePass.” the measured times had not included preparing the key, the gap compared to the password auto-fill timings would have become even larger. 4.4 Weighing Security and Purposes Figure 2 illustrates the steps required to log in with the key compared to the browser’s auto-fill feature. Using the During the interviews, participants indicated awareness of security key requires three steps in a best-case scenario. This different security requirements for different services. We scenario requires that the key is already plugged into the unveiled such tendencies when asking participants about the computer (Step A2), only the security key is configured for purposes they had used the security key for. Getting a full Windows Hello (Step A2), and only one account is registered view is a two-step process since we also needed to capture for the key (Step A5). The three steps are (i) clicking the how the participants estimated the security of the available login button beneath the security key symbol (see Step 1), authentication options. (ii) entering the PIN of the security key as shown in Step A3), and (iii) touching the key (see Step A4). In contrast, the credential auto-fill via browser requires 4.4.1 Security of Authentication Schemes at best (with only one username-password pair stored in the browser for the website) one click on the login button, as While six participants (P3–P8) rated the security key as more shown in Step B4. Otherwise, the user needs to click the text secure than the password-based authentication schemes, par- field for the username (Step B2) and select the desired account ticipant P1 guessed that the password copy-and-paste mecha- (Step B3). In both cases, the auto-fill procedure requires fewer nism is presumably more secure than the security key. How- steps and no physical interaction with additional hardware, ever, he mentioned the risk of losing the key and, conse- which explains why it is the faster authentication procedure. quently, becoming unavailable to log in, as a reason for the key’s reduced level of security. P1: “I guess you can use such a security key, and how do you log in if you don’t have it? [...] So, I believe the standard way [i.e., using passwords] is maybe more secure? Well, I’m not sure if it’s ‘more secure’ but I can log in in any case [...]” Another participant stated that the security offered a good security level but refrained from deeming one scheme more secure than another. Participants P2, P5, and P8 explained that Figure 4: Authentication timings for different login vari- the security of the key-based authentication is more secure ants. The time spent by participants to authenticate varies because it relies on “two factors”, i.e., possession of the key depending on the login type used. (N denotes the mean.) and knowing the correct PIN. Furthermore, participant P5 elaborated his understanding of how the security key works, Participant P4 provided the most differentiated feedback, alleging that the passwords are stored on the key. taking into account both manually copying and pasting pass- words as well as using the browser’s password manager when P5: “It is secure, if I understand correctly, because assessing the convenience using the security key. the passwords are stored on the key and, therefore, P4: “I already have the passwords saved in my are not affected if I have a compromised machine Edge account for all different accounts. So that [...]” was more convenient for me because it’s hardly one click [...] Even if I save something in the browser, it Even though this explanation is not correct from a technical will work that way as well but if you use the security perspective, the idea of P5 can give non-expert users some key it will definitely [be] time saving as well [...].” useful intuition why the key is more secure than passwords.
4.4.2 Use of the Security Key The time factor was not only important for authentication, two participants (P5, P6) also mentioned that they needed to In total, three participants talked about different security re- invest time (“5–10 minutes”) to set up the key for an account, quirements depending on a service’s purpose. Two partici- which implies that even comparably small amounts of time pants named online banking (P6, P7), another authentication can be an adoption hurdle. at work (P5) as use cases that require a higher level of security. When asked whether they want to keep using the key after P6: “There is this small initial effort you need to the study, four participants signaled willingness (P2, P3, P4, find five to ten minutes for.” P8), two were not sure (P5, P6), and two did not want to use the key in the future (P1, P7). Opinions of those who could Besides the time aspects, participants’ feedback from the imagine continuing using the key ranged from plain approvals interviews unveiled further details about additional obstacles (P2, P8: “yes”) to readiness to use the key exclusively if the towards the adoption of the security key. working environment supported this: 4.5.1 Fallback Authentication P3: “Yes, and if it would work with the production server, I would work exclusively using the key.” Several participants expressed concerns about not being able to log in if they do not carry their keys (P2, P3) or even lose However, participants revealed different opinions on ex- them (P1). Participant P3 further mentioned a potential risk of tending the use to personal accounts. While one participant technical flaws, hampering the ability to log in. The majority claimed willingness to use the key for personal purposes (P2), of participants had no problems with carrying the key, e.g., two participants stated that they would not use a security key by attaching it to their key rings. off the job. While P4 stated to use a password manager for personal P6: “I have it on my [...] key ring. Thus, I have it accounts, P7 unambiguously explained that the additional with me all the time.” time required to use the key compared to a password manager is an unacceptable trade-off in everyday use. However, this was not a proper solution for every partici- pant. P7 explicitly deemed this a disadvantage and suggested P7: “In the time it takes to dig it up, plug it in, enter providing a solution to attach the key to a smartphone. the PIN, and push it – I could have already bought two pairs of shoes.” P7: “That’s cumbersome, and I also have quite few keys, and I don’t want to plug them all in.” Another participant remained rather indecisive when asked about using the key for personal use, due to the additional Potential problems about handling the key were also men- overhead compared to the use of a password manager. tioned by another participant (P2), who feared to destroy the key due to its tiny size and shakiness when plugged in and P8: “When you have stored your passwords in your suggested a more sturdy design. browser, it is still faster than picking the key, plug- These answers show that participants’ views were not lim- ging it in and entering the PIN.” ited to the scope of the study but also widened for the security key’s general use as a single first authentication factor. Not being able to log in due to losing the key was not a real risk 4.5 Adoption Barriers in our scenario since participants could always choose be- The authentication diaries and responses in the interviews tween password-based and key-based authentication during show that usage rates of the security key were rather low the study. (see Section 4.1), so we asked the participants what prevented them from using the security key in particular situations. They 4.5.2 Workflow and Environment reported several hurdles when using the key, e.g., the fear of losing access to their accounts, the additional effort/time The workflow of the authentication or the work environment required to plug the key in or unlock it, and the habitual use can also be an adoption barrier. As discussed in Section 4.3, of passwords. the security key requires more interactions for each authenti- Participants P5 and P7 mentioned that the additional effort cation. Participant P6 explicitly mentioned the higher click- and time to interact with the key makes it less convenient than count when using the security key (i.e., the Windows Hello authenticating with username and password. user interface) compared to entering the username and pass- word or using the browser’s password manager. P5: “Well, it would start to make a real difference if I didn’t have to enter anything at all but only had P6: “The workflow needs to be simple. Like even to touch the key.” faster. Fewer clicks.”
Another participant saw the account selection of Windows However, our analysis of the interviews and authentication Hello as a hurdle for adoption. dairies identified three problem areas unique to or more im- portant for the security key as a primary authentication factor: P1: “I have 40 accounts or so. When I register the (i) concerns about account recovery in case of key loss or key for all of them and I want to log in then, I need defect, (ii) having a more complex and possibly slower au- to scroll through all of them [...] That’s a little bit thentication process, and (iii) security benefits are intangible. time-consuming.” Losing access to the account through defect or loss of the Two participants indicated that the characteristics of their security key is the primary concern for users, especially if work environment made it more challenging to integrate the it is the only way to authenticate. A possible solution to key into their routines. For instance, picking an account to this problem is registering multiple security keys for one log in when multiple accounts were used on the same website, account, but this seems to be an additional burden to the since the names of all accounts followed a naming convention users. Another option is using username and password as made them very similar. fallback authentication, but this nullifies the security benefits of FIDO2. The question of how to realize secure fallback P3: “I cannot see at first sight to which account authentication for FIDO2 is still open for future research. [the username] actually belongs.” The differences in the timings between the security key and other login methods, as indicated in Figure 4 and also Similar, another participant denoted that the login is slightly mentioned by multiple participants, needs to be tested with a different depending on the operating system and browser (here larger sample. Other authenticators could make “password- Windows 10 version 1903 and Google Chrome 76). less” FIDO2-based authentication faster and less complex. P6: “[...] on my computer the Windows update has Even though most participants found the security key to not been rolled out yet, so, I could not use Firefox be more secure than username and password, the reasons [...] and [in the other browser] I need to click three why the key was, in fact, more secure were hard to grasp for times and touch [the key] twice to log in.” them. More research on how to explain the security benefits of FIDO2-based authentication schemes is needed. In the 4.5.3 Routine in using Passwords following, we discuss our results using the three categories to assess authentication schemes proposed by Bonneau et al. [5]. Considering aspects of introducing and integrating new secu- rity measures into a well-functioning working environment raises questions about how to overcome long-established secu- 5.1 Usability rity behaviors. Participant P7, who showed a generally rather Our study indicates that the security key is usable in the sense reserved attitude towards using the security key, remarked that all the participants understood how to use the key cor- that routine in handling passwords was a reason not to use rectly and comprehended the on-screen instructions. The the security key for authentication, especially in cases when problems the participants encountered were rare, and they something needed to be checked quickly. could solve all of them. P7: “It was not an active decision [to use the pass- Authentication times appeared to be more of a limiting word], but rather a situation when I just had to get factor. Using the browser’s auto-fill feature was the fastest things done. [...] I’m just used to it, because I know authentication method in our scenario. Even “manual logins” the password for this application. [...] It’s like an (e.g., copy and paste the password) may be faster than using addiction. You still use the password after all.” the security key. This speed difference may be one of the primary adoption barriers. This statement suggests that deeply ingrained security habits The level of routine and habituation users developed with cannot be challenged, let alone be replaced easily, not within passwords is high. Some interview statements implied that the four weeks of our study. password-based authentication does not necessarily induce friction but works as an unconscious background process that 5 Discussion makes it more challenging to get used to a new scheme like the security key. Protecting the key with a PIN also undermines In contrast to prior work investigating security keys in the its benefit of allowing “passwordless” authentication. context of 2FA [8, 9, 15, 16, 24], we focused on a secure au- Physical aspects and related handling of the key could also thentication scheme without username and password. From a be an obstacle. Actions like carrying the security key around, user perspective, the difference is to have a new authentica- e.g., by attaching it to a key ring, inserting it, or touching tion scheme instead of adding steps to a well-known one. The its button were a hurdle for some participants. However, the resulting process still suffers from similar issues, as found by degree of inconvenience appears to depend highly on the studies on security keys in a 2FA context [8, 16]. user’s perception and predispositions.
5.2 Deployability 5.5 Limitations WebAuthn support, while increasing, is the biggest deploy- Due to the qualitative nature of the study and the small sample ment issue. This lack of support comprises operating systems, size, it can only provide a first insight into “passwordless” au- browsers, but also software frameworks to ease integration. thentication with security keys. Our results may not apply to Only recent versions of operating systems and browsers work a broader population but indicate potential interesting topics with all WebAuthn features, thus requiring web service own- and raise new research questions. ers to offer alternative authentication schemes and show ap- We deployed the new authentication method on a public test propriate error messages in case of unsupported operations. server for our study. Although all participants had access to Missing best practices on login form design for WebAuthn- the server and user accounts on it, half of them (4 participants) based authentication hinders a consistent user experience mentioned in the interviews that they used the test server less across different web services. While a typical design has often than the production system. The low use of the key emerged for password-based login forms over time, there is affected how the participants used the security key and might no such design for WebAuthn. Research on the impact of have had an impact on the perceived usefulness of it. such forms is scarce. On the other hand, direct costs for hardware or support 6 Related Work and indirect costs through lost productivity are negligible. In a company with tech-savvy personnel, the expense for the The FIDO2 project has not been around for a long time, which adoption of a security key-based authentication (not including is why research in this specific area is limited. Most related implementation) should not be too high. As Lang et al. [16] to our study is the work by Lyastani et al. [17], as it does showed with a predecessor of U2F and thus FIDO2, the same investigate the use of tokens for primary authentication in the can be true for large companies. context of FIDO2. Lyastani et al. [17] conducted a lab study with end-users to get insights into the perception, acceptance, and concerns when security keys are used for passwordless 5.3 (Perceived) Security authentication. Their results conform to ours in terms of Security is only secondary to usability when choosing an a mixed impression with an overall positive impression of authentication scheme in daily work life. If security is not token-based authentication but also the fear of the participants promoted as an essential part of work instead of being just an to lose the token locking themselves out. obstacle to other tasks, that fact remains [11]. In contrast to Lyastani et al. [17], we implemented the The benefits of the security key, especially when it requires token-based authentication in combination with a PIN be- a PIN, need to be conveyed clearly. While creating risk aware- cause it counteracts one of the disadvantages the participants ness helps users to make informed decisions, reminding users in the study by Lyastani et al. [17] mentioned, namely, the risk of the benefits provided by a scheme seems to be even more of illegal access when the authenticator is lost. However, this promising [9]. combination made the workflow more complex, which again can impede adopting the key. Additionally, we concentrate on the long-term and real-world impact of using token-based 5.4 Overcome Adoption Barriers authentication in a corporate context. Through this different focus in the study, we saw that overcoming the routine users We think that the FIDO2 project can replace password-based gained in using passwords as an additional adoption barrier. authentication on the Web in the long run. However, at the Besides FIDO2, Pico, proposed by Stajano [25], is an- moment, only a few applications or Internet services sup- other example of a token-based login method. In a study by port FIDO2-based authentication, which impedes its adoption, Aebischer et al. [1], users appreciated the ability to avoid pass- and the lack of reference implementations of the WebAuthn words because of the known drawbacks, but adoption was server-side hinders its integration. These obstacles will proba- still identified as a problem as users prefer to stick to the fa- bly resolve over time. To overcome some of the other adaption miliar password-based authentication. We observed a similar barriers we found, we have the following suggestions: phenomenon, among the participants who used a password • Support multiple different authenticators (platform and manager. Although they were convinced that the security roaming authenticators if possible); key-based solution was more secure, but they preferred the • Require adaption of the security key in organizations (as password managers because they were fast. suggested by Colnago et al. [8] for 2FA); While we are interested in hardware tokens as a first factor, • Make FIDO2-based authentication available for as many research into 2FA is also related to our work as it gives impor- systems as possible tant insights into the use of tokens for authentication. Despite • For PIN-protected security keys, allow to “remember” what factor is used, the initial setup of an additional second the PIN until the key is unplugged. factor is one of the major issues for most users [7, 15, 23, 24].
A corporate context – in which we were interested in this Acknowledgments study – allows counteracting this problem by offering cus- tomized guidance for the setup phase. Because of this, we The authors would like to thank tracekey solutions GmbH for walked the participants through the initial steps. allowing them to conduct a study in their company and provid- Studies by Das et al. [9] and Ciolino et al. [7] further ana- ing the necessary software and hardware. This research was lyzed why users decide not to use 2FA security keys. They partially funded by the MKW-NRW research training groups found two main reasons: (i) Users are afraid of losing their SecHuman, “Human Centered Systems Security” sponsored key locking themselves out and (ii) some users also do not by the state of North Rhine-Westphalia, Germany, and the fear an account takeover, which is why they see no necessity German Research Foundation (DFG) within the framework for the additional effort associated with the use of a security of the Excellence Strategy of the Federal Government and the key. These findings are supported by adoption rates reported States – EXC2092 CASA – 390781972. by Google with less than 10 % of active Google accounts having 2FA enabled [18]. While these findings are relevant References for the end-user, the situation in a corporate context is differ- ent. Here, the motivation to use security keys is driven by [1] Seb Aebischer, Claudio Dettoni, Graeme Craig Jenk- the company, and using them can be made mandatory for the inson, Katarzyna Kinga Krol, David Llewellyn-Jones, employees. Toshiyuki Masui, and Francesco Mario Stajano. Pico in Furthermore, it was found that users have an overall pos- the Wild: Replacing Passwords, One Site at a Time. In itive attitude towards security keys once they are in place European Workshop on Usable Security, EuroUSEC ’16, as a second factor. [7, 9, 24]. They are seen as easy to use Paris, France, April 2017. ISOC. and increase the perceived security [8, 16]. We come to a [2] Sarah Alismail and Hengwei Zhang. The Use of Emoji similar conclusion for the case when security keys are used as in Electronic User Experience Questionnaire: An Ex- a primary factor. Regarding the timing of security key-based ploratory Case Study. In Hawaii International Confer- logins, Reese et al. [23] found that login times decrease the ence on System Sciences, HICSS ’18, Waikoloa Village, longer and the more often security keys are used. Some partic- Hawaii, USA, January 2018. ACM. ipants also mentioned the fast authentication time, yet some abandoned the security keys in favor of a password manager [3] Anti-Phishing Working Group. Phishing At- because it allows an even more efficient authentication. tack Trends Report – 2Q 2018, October 2018. https://docs.apwg.org/reports/apwg_trends_ report_q2_2018.pdf, as of April 30, 2020. 7 Conclusion [4] Dirk Balfanz, James C. Jones, Akshay Kumar, Huakai Liao, Jeff Hodges, Emil Lundberg, Czeskis Alexei, Rolf We conducted a qualitative study on the usability of FIDO2, Lindemann, and Michael Jones. Web Authentication: using USB-based hardware tokens in the form of security keys An API for accessing Public Key Credentials Level 1. in the context of a small company. The core components of Recommendation REC-webauthn-1-20190304, World FIDO2 – WebAuthn and CTAP – offer promising alternatives Wide Web Consortium, March 2019. to the dominant username-password scheme used for web au- thentication. FIDO2 security keys present a phishing-resistant [5] Joseph Bonneau, Cormac Herley, Paul C. Van Oorschot, form of hardware tokens suited as the primary authentication and Frank Stajano. The Quest to Replace Passwords: A factor for web applications. Framework for Comparative Evaluation of Web Authen- In contrast to previous work on authentication via security tication Schemes. In IEEE Symposium on Security and keys, we focused on using the key as a primary authentication Privacy, SP ’12, pages 553–567, San Jose, California, factor instead of having it as an additional factor in a 2FA USA, May 2012. IEEE. setting. Although most participants considered the security [6] Christiaan Brand, Alexei Czeskis, Jakob Ehrensvärd, key-based login as usable, several of them stopped using the Michael B. Jones, Akshay Kumar, Rolf Lindemann, key as it was slower than using the password manager built Adam Powers, and Johan Verrept. Client to Authentica- in their browsers. Furthermore, the security benefits were tor Protocol (CTAP). Proposed Standard fido-v2.0-ps- largely intangible or perceived as unnecessary by the partici- 20190130, FIDO Alliance, January 2019. pants. Another issue was the missing support of some browser and operating systems at the time of the study. All these adop- [7] Stéphane Ciolino, Simon Parkin, and Paul Dunphy. Of tion barriers should be minimized before introducing FIDO2 Two Minds about Two-Factor: Understanding Everyday (with security keys) to replace username and password-based FIDO U2F Usability through Device Comparison and authentication in a company. Experience Sampling. In Symposium on Usable Privacy
and Security, SOUPS ’19, pages 339–356, Santa Clara, In Financial Cryptography and Data Security, FC ’16, California, USA, August 2019. USENIX. pages 422–440, Accra Beach, Barbados, February 2016. Springer. [8] Jessica Colnago, Summer Devlin, Maggie Oates, Chelse Swoopes, Lujo Bauer, Lorrie Cranor, and Nicolas [17] Sanam Ghorbani Lyastani, Michael Schilling, Michaela Christin. “It’s Not Actually That Horrible”: Exploring Neumayr, Michael Backes, and Sven Bugiel. Is FIDO2 Adoption of Two-Factor Authentication at a University. the Kingslayer of User Authentication? A Comparative In ACM Conference on Human Factors in Computing Usability Study of FIDO2 Passwordless Authentication. Systems, CHI ’18, pages 456:1–456:11, Montreal, Que- In IEEE Symposium on Security and Privacy, SP ’20, bec, Canada, April 2018. ACM. San Francisco, California, USA, May 2020. IEEE. [9] Sanchari Das, Andrew Dingman, and L. Jean Camp. [18] Grzergor Milka. Anatomy of Account Takeover. In Why Johnny Doesn’t Use Two Factor A Two-Phase USENIX Enigma Conference, Enigma ’18, Santa Clara, Usability Study of the FIDO U2F Security Key. In Fi- California, USA, January 2018. USENIX. nancial Cryptography and Data Security, FC ’18, pages 160–179, Santa Barbara Beach, Curação, February 2018. [19] Hannah Jean Miller, Jacob Thebault-Spieker, Shuo Springer. Chang, Isaac Johnson, Loren Terveen, and Brent Hecht. “Blissfully Happy” or “Ready to Fight”: Varying Inter- [10] Jessica T. DeCuir-Gunby, Patricia L. Marshall, and Alli- pretations of Emoji. In AAAI Conference on Web and son W. McCulloch. Developing and Using a Codebook Social Media, ICWSM ’16, pages 259–268, Cologne, for the Analysis of Interview Data: An Example from Germany, May 2016. AAAI. a Professional Development Research Project. Field methods, 23(2):136–155, December 2011. [20] Adam Moore, Christina M. Steiner, and Owen Conlan. Design and Development of an Empirical Smiley-Based [11] Geoffrey B. Duggan, Hilary Johnson, and Beate Grawe- Affective Instrument. In Workshop on Emotions and Per- meyer. Rational Security: Modelling Everyday Pass- sonality in Personalized Services, EMPIRE ’13, pages word Use. International Journal of Human-Computer 41–52, Rome, Italy, January 2013. CEUR. Studies, 70(6):415–431, June 2012. [21] National Commission for the Protection of Hu- [12] European Parliament and Council of the European man Subjects of Biomedical and Behavioral Union. Directive 2011/62/EU of the European Par- Research. The Belmont Report: Ethical Princi- liament and of the Council of 8 June 2011 amending ples and Guidelines for the Protection of Human Directive 2001/83/EC on the Community code relating Subjects of Research, September 1978. https: to medicinal products for human use, as regards the //www.hhs.gov/ohrp/regulations-and-policy/ prevention of the entry into the legal supply chain of belmont-report/index.html, as of April 30, 2020. falsified medicinal products. Official Journal of the European Union, 174(1):74–87, July 2011. [22] National Cyber Security Centre. Common Words and Phrases Relating to Cyber Security, January [13] FIDO Alliance. The FIDO (“Fast IDentity Online”) Al- 2018. https://www.ncsc.gov.uk/information/ liance – Industry Association to Promote Authentication ncsc-glossary, as of April 30, 2020. Standards, February 2013. https://fidoalliance. org, as of April 30, 2020. [23] Ken Reese, Trevor Smith, Jonathan Dutson, Jonathan Armknecht, Jacob Cameron, and Kent Seamons. A Us- [14] Eszter Hargittai and Yuli Patrick Hsieh. Succinct Survey ability Study of Five Two-Factor Authentication Meth- Measures of Web-Use Skills. Social Science Computer ods. In Symposium on Usable Privacy and Security, Review, 30(1):95–107, February 2012. SOUPS ’19, pages 357–370, Santa Clara, California, USA, August 2019. USENIX. [15] Kat Krol, Eleni Philippou, Emiliano De Cristofaro, and M. Angela Sasse. “They brought in the horrible key ring [24] Joshua Reynolds, Trevor Smith, Ken Reese, Luke Dick- thing!” Analysing the Usability of Two-Factor Authen- inson, Scott Ruoti, and Kent Seamons. A Tale of Two tication in UK Online Banking. In Workshop on Usable Studies: The Best and Worst of YubiKey Usability. In Security, USEC ’15, San Diego, California, USA, Febru- IEEE Symposium on Security and Privacy, SP ’18, pages ary 2015. ISOC. 872–888, Oakland, California, USA, May 2018. IEEE. [16] Juan Lang, Alexei Czeskis, Dirk Balfanz, Marius [25] Frank Stajano. Pico: No More Passwords. In Workshop Schilder, and Sampath Srinivas. Security Keys: Practi- on Security Protocols, SPW ’11, pages 49–81, Cam- cal Cryptographic Second Factors for the Modern Web. bridge, United Kingdom, March 2011. Springer.
You can also read